Abstract — We propose an approach for constructing secret and 
private keys based on the long-known Slepian-Wolf code, due to 
Wyner, for correlated sources connected by a virtual additive 
noise channel. Our work is motivated by results of Csiszar 
and Narayan which highlight innate connections between secrecy 
generation by multiple terminals that observe correlated source 
signals and Slepian-Wolf near-lossless data compression. Explicit 
procedures for such constructions and their substantiation are 
provided. The performance of low density parity check channel 
codes in devising a new class of secret keys is examined. 

Index terms: Secret key construction, private key construction, 
secret key capacity, private key capacity, Slepian-Wolf data 
compression, binary symmetric channel, maximum likelihood 
decoding, LDPC codes. 



I. Introduction 

The problem of secrecy generation by multiple terminals, 
based on their observations of separate but correlated signals 
followed by public communication among themselves, has 
been investigated by several authors ([23], among 
others). It has been shown that these terminals can generate 
secrecy, namely "common randomness" which is kept secret 
from an eavesdropper that is privy to said public communication 
and perhaps also to additional "wiretapped" side 
information. 

Our work is motivated by [8] which studies secrecy generation 
for multiterminal "source models" with an arbitrary number 
of terminals, each of which observes a distinct component 
of a discrete memoryless multiple source (DMMS). Specifically, 
suppose that $d \ge 2$ terminals observe, respectively, 
$n$ independent and identically distributed (i.i.d.) repetitions 
of finite-valued random variables (rvs) $X_1, \ldots, X_d$, denoted 
by $\mathbf{X}_1, \ldots, \mathbf{X}_d$, where $\mathbf{X}_i = (X_{i,1}, \ldots, X_{i,n})$, $i = 1, \ldots, d$. 
Thereupon, unrestricted and noiseless public communication 
is allowed among the terminals. All such communication 
is observed by all the terminals and by the eavesdropper. 
The eavesdropper is assumed to be passive, i.e., unable to 
tamper with the public communication of the terminals. In 
this framework, two models considered in [8] dealing with a 
secret key (SK) and a private key (PK) are pertinent to our 
work. 

(i) Secret key: Suppose that all the terminals in $\{1, \ldots, d\}$ 
wish to generate a SK, i.e., common randomness which is 
concealed from the eavesdropper with access to their public 
communication and which is nearly uniformly distributed. 
The largest (entropy) rate of such a SK, termed the SK capacity 
and denoted by $C_S$, is shown in [8] to equal 

$$C_S = H(X_1, \ldots, X_d) - R_{\min}$$

$H(\{X_j, j \in B\} \mid \{X_j, j \in B^c\})$, $B \subset \{1, \ldots, d\}\}$, (3) 
where $B^c = \{1, \ldots, d\} \setminus B$. 

(ii) Private key: For a given subset $A \subset \{1, \ldots, d\}$, a PK 
for the terminals in $A$, private from the terminals in $A^c$, is a 
SK generated by the terminals in $A$ with the cooperation of 
the terminals in $A^c$, which is concealed from an eavesdropper 
with access to the public interterminal communication and also 
from the cooperating terminals in $A^c$ (and, hence, private). 
The largest (entropy) rate of such a PK, termed the PK capacity 
and denoted by $C_P(A)$, is shown in [8] to be 



$C_P(A) = H(X_1, \ldots, X_d) - H(\{X_i, i \in A^c\}) -$ 
with 

$$\mathcal{R}(A) = \Big\{ \{R_i, i \in A\} : \sum_{i \in B} R_i \ge H(\{X_j, j \in B\} \mid \{X_j, j \in B^c\}),\ B \subset A \Big\}. \qquad (6)$$

The expressions in (1)-(3) and (4)-(6) afford the following 
interpretation [8]. The joint entropy $H(X_1, \ldots, X_d)$ in (1) 

1 In [8], a general situation is studied in which a subset of the terminals 
generate a SK with the cooperation of the remaining terminals. 
2 Here, $\subset$ denotes a proper subset. 

3 A general model is considered in [8] for privacy from a subset of $A^c$ of 
the cooperating terminals. 
corresponds to the maximum rate of shared common randomness 
- sans secrecy constraints - that can ever be achieved 
by the terminals in $\{1, \ldots, d\}$ when each terminal becomes 
omniscient, i.e., reconstructs all the components of the DMMS 
with probability = 1 as the observation length $n$ becomes 
large. Further, $R_{\min}$ in (1), (2) corresponds to the smallest 
aggregate rate of interterminal communication that enables 
every terminal to achieve omniscience [8]. Thus, from (1), the 
SK capacity $C_S$, i.e., largest rate at which all the terminals in 
$\{1, \ldots, d\}$ can generate a SK, is obtained by subtracting from 
the maximum rate of shared common randomness achievable 
by these terminals, viz. $H(X_1, \ldots, X_d)$, the smallest overall 
rate $R_{\min}$ of the (data-compressed) interterminal communication 
that enables all the terminals to become omniscient. A 
similar interpretation holds for the PK capacity $C_P(A)$ in (4) 
as well, with the difference that the terminals in $A^c$, which 
cooperate in secrecy generation and yet must not be privy 
to the secrecy they help generate, can be assumed - without 
loss of generality - to simply "reveal" their observations [8]. 
Hence, the entropy terms in (1), (3) are now replaced in (4), 
(6) with additional conditioning on $\{X_i, i \in A^c\}$. It should 
be noted that $R_{\min}$ and $R_{\min}(A)$ are obtained as solutions 
to multiterminal Slepian-Wolf (SW) (near-lossless) data compression 
problems not involving any secrecy constraints. 

The form of characterization of the SK and PK capacities 
in (1) and (4) also suggests successive steps for generating 
the corresponding keys. For instance, and loosely speaking, in 
order to generate a SK, the terminals in $\{1, \ldots, d\}$ first generate 
common randomness (without any secrecy restrictions) 
using SW-compressed interterminal communication denoted 
collectively by, say, $\mathbf{F}$. Thus, the terminals generate rvs 
$L_i = L_i(\mathbf{X}_i, \mathbf{F})$, $i \in \{1, \ldots, d\}$, with $\frac{1}{n} H(L_i) > 0$, which 
agree with probability = 1 for $n$ suitably large; suppressing 
subscripts, let $L$ denote the resulting "common" rv where 
$\frac{1}{n} H(L) > 0$. The second step entails an extraction from $L$ 
of a SK $K = g(L)$ of entropy rate $\frac{1}{n} H(L \mid \mathbf{F})$ by means of a 
suitable operation $g$ performed identically at each terminal on 
the acquired common randomness $L$. In particular, when the 
common randomness acquired by the terminals corresponds to 
omniscience, i.e., $L = (\mathbf{X}_1, \ldots, \mathbf{X}_d)$, and is achieved using 
interterminal communication $\mathbf{F}$ of the most parsimonious rate 
$R_{\min}$ in (1), then the corresponding SK $K = g(L)$ has the 
best rate $C_S$ given by (1). It is important to note, however, 
that as mentioned in ([8], Section VI) and already known 
from [23], [2], neither communication by every terminal nor 
omniscience is essential for generating secrecy (SK or PK) at 
the best rate; for instance, the rv $L$ above need not correspond 
to omniscience for the SK $K = g(L)$ to have the best possible 
rate in (1). 

A similar approach as above can be used to generate a PK 
of the largest rate in (4). 

The discussion above suggests that techniques for SW data 
compression could be used to devise constructive schemes 
for obtaining SKs and PKs that achieve the corresponding 
capacities. Further, in SW data compression, the existence of 
linear encoders of rates arbitrarily close to the SW bound has 
been long known [5]. In the special situation when the i.i.d. 
sequences observed at the terminals are related to each other in 
probability law through virtual discrete memoryless channels 
(DMCs) characterized by independent additive noises, such 
linear SW encoders can be obtained in terms of cosets of 
linear error correction codes for such virtual channels, a fact 
first illustrated in [37] for the case of $d = 2$ terminals 
connected by a virtual binary symmetric channel (BSC), and 
later exploited in most known linear constructions of SW 
encoders (cf. e.g., [29], [33]). When the i.i.d. sequences observed by $d = 2$ 
terminals are connected by an arbitrary virtual DMC, the 
corresponding SW data compression can be viewed in terms 
of coding for a "semisymmetric" channel, i.e., a channel with 
independent additive noise that is defined over an enlarged 
alphabet [14]; the case of stationary ergodic observations at 
the terminals is also considered therein. These developments 
in SW data compression can translate into an emergence of 
new constructive schemes for secrecy generation. 

Motivated by these considerations, we seek to devise new 
constructive schemes for secrecy generation in source models 
in which SW data compression plays a central role. The main 
technical contribution of this work is the following: Considering 
four simple models of secrecy generation, we show how 
a new class of SKs and PKs can be devised for them at rates 
arbitrarily close to the corresponding capacities, relying on the 
SW data compression code in [37]. Additionally, we examine 
the performance of low density parity check (LDPC) codes 
in the SW data compression step of the procedure for secrecy 
generation. Preliminary results of this work have been reported 
in [38], [39]. In independent work [25] for the case of $d = 2$ 
terminals which is akin to but different from ours, extraction 
of a SK from previously acquired common randomness by 
means of a linear transformation has been demonstrated. 

In related work, SK generation for a source model with two 
terminals that observe continuous-amplitude signals has been 
studied in [40], [36]. Furthermore, in recent 
years, several secrecy generation schemes have been reported, 
relying on capacity-achieving channel codes, for "wiretap" 
secrecy models that differ from ours. For instance, it was 
shown in [35] that such a channel code can attain the secrecy 
capacity for any wiretap channel. See also [18]. 

The paper is organized as follows. Preliminaries are con- 
tained in Section II. In Section III, we consider four simple 
source models for which we provide elementary constructive 
schemes for SK or PK generation which rely on suitable SW 
data compression codes; the keys thereby generated are shown 
to satisfy the requisite secrecy and rate-optimality conditions 
in Section IV. Implementations of these constructions using 
LDPC codes are illustrated in Section V which also reports 
simulation results. Section VI contains closing remarks. 

II. Preliminaries 

A. Secret Key and Private Key Capacities 

Consider a DMMS with $d \ge 2$ components, with corresponding 
generic rvs $X_1, \ldots, X_d$ taking values in finite alphabets 
$\mathcal{X}_1, \ldots, \mathcal{X}_d$, respectively. Let $\mathbf{X}_i = (X_{i,1}, \ldots, X_{i,n})$ 
be $n$ i.i.d. repetitions of rv $X_i$, $i \in \mathcal{D} = \{1, \ldots, d\}$. 
Terminals $1, \ldots, d$, with respective observations $\mathbf{X}_1, \ldots, \mathbf{X}_d$, 
represent the $d$ users that wish to generate a SK by means 
of public communication. These terminals can communicate 
with each other through broadcasts over a noiseless public 
channel, possibly interactively in many rounds. In general, a 
communication from a terminal is allowed to be any function 
of its observations, and of all previous communication. Let $\mathbf{F}$ 
denote collectively all the public communication. 

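Given $\varepsilon > 0$, the rv $K_S$ represents an $\varepsilon$-secret key ($\varepsilon$-SK) for 
the terminals in $\mathcal{D}$, achieved with communication $\mathbf{F}$, if there 
exist rvs $K_i = K_i(\mathbf{X}_i, \mathbf{F})$, $i \in \mathcal{D}$, with $K_i$ and $K_S$ taking 
values in the same finite set $\mathcal{K}_S$, such that $K_S$ satisfies 

• the common randomness condition 

$$\Pr\{K_i = K_S,\ i \in \mathcal{D}\} > 1 - \varepsilon;$$

• the secrecy condition 

$$\frac{1}{n} I(K_S \wedge \mathbf{F}) < \varepsilon;$$

and 

• the uniformity condition 

$$\frac{1}{n} H(K_S) > \frac{1}{n} \log |\mathcal{K}_S| - \varepsilon.$$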

Let $A \subset \mathcal{D}$ be an arbitrary subset of the terminals. The rv 
$K_P(A)$ represents an $\varepsilon$-private key ($\varepsilon$-PK) for the terminals 
in $A$, private from the terminals in $A^c = \mathcal{D} \setminus A$, achieved with 
communication $\mathbf{F}$, if there exist rvs $K_i = K_i(\mathbf{X}_i, \mathbf{F})$, $i \in A$, 
with $K_i$ and $K_P(A)$ taking values in the same finite set 
$\mathcal{K}_P(A)$, such that $K_P(A)$ satisfies 

• the common randomness condition 

$$\Pr\{K_i = K_P(A),\ i \in A\} > 1 - \varepsilon;$$

• the secrecy condition 

$$\frac{1}{n} I(K_P(A) \wedge \{\mathbf{X}_i, i \in A^c\}, \mathbf{F}) < \varepsilon;$$

and 

• the uniformity condition 

$$\frac{1}{n} H(K_P(A)) > \frac{1}{n} \log |\mathcal{K}_P(A)| - \varepsilon.$$

Definition 1 [8]: A nonnegative number $R$ is called an 
achievable SK rate if $\varepsilon_n$-SKs $K_S^{(n)}$ are achievable with suitable 
communication (with the number of rounds possibly depending 
on $n$), such that $\varepsilon_n \to 0$ and $\frac{1}{n} H(K_S^{(n)}) \to R$. The 
largest achievable SK rate is called the SK capacity, denoted 
by $C_S$. The PK capacity for the terminals in $A$, denoted by 
$C_P(A)$, is similarly defined. An achievable SK rate (resp. 
PK rate) will be called strongly achievable if $\varepsilon_n$ above can 
be taken to vanish exponentially in $n$. The corresponding 
capacities are termed strong capacities. 

Single-letter characterizations have been obtained for $C_S$ 
in the case of $d = 2$ terminals in [2], [23] and for $d \ge 2$ 
terminals in [8], given by (1); and for $C_P(A)$ in the case 
of $d = 3$ terminals in and for $d \ge 3$ terminals in [8], 
given by (4). The proofs of the achievability parts exploit 
the close connection between secrecy generation and SW 
data compression. Loosely speaking, common randomness 
sans any secrecy restrictions is first generated through SW-compressed 
interterminal communication, whereby all the $d$ 
terminals acquire a (common) rv with probability = 1. In the 
next step, secrecy is then extracted by means of a suitable 
identical operation performed at each terminal on the acquired 
common randomness. When the common randomness initially 
acquired by the $d$ terminals is maximal, the corresponding SK 
has the best rate $C_S$ given by (1). 

In this work, we consider four simple models for which we 
illustrate the constructions of appropriate strong SKs or PKs. 

B. Linear Codes for the Binary Symmetric Channel 

The SW codes of interest will rely on the following classic 
result concerning the existence of "good" linear channel codes 
for a BSC. A BSC with crossover probability $p$, $0 < p < \frac{1}{2}$, 
will be denoted by BSC($p$). Let $h(p) = -p \log_2 p - (1 - p) \log_2 (1 - p)$ 
denote the binary entropy function. 

Lemma 1 [9]: For every $\varepsilon > 0$, $0 < p < \frac{1}{2}$, and for all $n$ 
sufficiently large, there exists a binary linear $(n, n - m)$ code 
for a BSC($p$), with $m < n[h(p) + \varepsilon]$, such that the average 
error probability of maximum likelihood decoding is less than 
$2^{-n\eta}$, for some $\eta > 0$. ■ 

C. Types and Typical Sequences 

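The following standard facts regarding "types" and "typical 
sequences" and their pertinent properties are 
compiled here in brief for ready reference. 

Given finite sets $\mathcal{X}$, $\mathcal{Y}$, the type of a sequence 
$\mathbf{x} = (x_1, \ldots, x_n) \in \mathcal{X}^n$ is the probability mass 
function (pmf) $P_{\mathbf{x}}$ on $\mathcal{X}$ given by 

$$P_{\mathbf{x}}(a) = \frac{1}{n} |\{i : x_i = a\}|, \quad a \in \mathcal{X},$$

and the joint type of a pair of sequences $(\mathbf{x}, \mathbf{y}) \in \mathcal{X}^n \times \mathcal{Y}^n$ is 
the joint pmf $P_{\mathbf{xy}}$ on $\mathcal{X} \times \mathcal{Y}$ given by 

$$P_{\mathbf{xy}}(a, b) = \frac{1}{n} |\{i : x_i = a, y_i = b\}|, \quad a \in \mathcal{X},\ b \in \mathcal{Y}.$$

The numbers of different types of sequences in $\mathcal{X}^n$ (resp. $\mathcal{X}^n \times \mathcal{Y}^n$) 
do not exceed $(n + 1)^{|\mathcal{X}|}$ (resp. $(n + 1)^{|\mathcal{X}||\mathcal{Y}|}$). 

Given rvs $X$, $Y$ (taking values in $\mathcal{X}$, $\mathcal{Y}$, respectively), with 
joint pmf $P_{XY}$ on $\mathcal{X} \times \mathcal{Y}$, the set of sequences in $\mathcal{X}^n$ which 
are $X$-typical with constant $\xi$, denoted by $T^n_{X,\xi}$, is defined as 

$$T^n_{X,\xi} = \{\mathbf{x} \in \mathcal{X}^n : 2^{-n[H(X)+\xi]} < P^n_X(\mathbf{x}) < 2^{-n[H(X)-\xi]}\},$$

where $P^n_X(\mathbf{x}) = \Pr\{\mathbf{X} = \mathbf{x}\}$, $\mathbf{x} \in \mathcal{X}^n$; and the set of pairs of 
sequences in $\mathcal{X}^n \times \mathcal{Y}^n$ which are $XY$-typical with constant 
$\xi$, denoted by $T^n_{XY,\xi}$, is defined as 

$$T^n_{XY,\xi} = \{(\mathbf{x}, \mathbf{y}) \in \mathcal{X}^n \times \mathcal{Y}^n : \mathbf{x} \in T^n_{X,\xi},\ \mathbf{y} \in T^n_{Y,\xi},\ 2^{-n[H(X,Y)+\xi]} < P^n_{XY}(\mathbf{x}, \mathbf{y}) < 2^{-n[H(X,Y)-\xi]}\},$$

where $P^n_{XY}(\mathbf{x}, \mathbf{y}) = \Pr\{\mathbf{X} = \mathbf{x}, \mathbf{Y} = \mathbf{y}\}$, $\mathbf{x} \in \mathcal{X}^n$, $\mathbf{y} \in \mathcal{Y}^n$. 
It readily follows that for every $(\mathbf{x}, \mathbf{y}) \in T^n_{XY,\xi}$, 

$$2^{-n[H(X|Y)+2\xi]} < P^n_{X|Y}(\mathbf{x}|\mathbf{y}) < 2^{-n[H(X|Y)-2\xi]},$$

where $P^n_{X|Y}(\mathbf{x}|\mathbf{y}) = \Pr\{\mathbf{X} = \mathbf{x} \mid \mathbf{Y} = \mathbf{y}\}$, $\mathbf{x} \in \mathcal{X}^n$, $\mathbf{y} \in \mathcal{Y}^n$. 

For every $\mathbf{y} \in \mathcal{Y}^n$, the set of sequences in $\mathcal{X}^n$ which are 
$X|Y$-typical with respect to $\mathbf{y}$ with constant $\xi$, denoted by 
$T^n_{X|Y,\xi}(\mathbf{y})$, is defined as 

$$T^n_{X|Y,\xi}(\mathbf{y}) = \{\mathbf{x} \in \mathcal{X}^n : (\mathbf{x}, \mathbf{y}) \in T^n_{XY,\xi}\},$$

with $T^n_{X|Y,\xi}(\mathbf{y}) = \emptyset$ if $\mathbf{y} \notin T^n_{Y,\xi}$. The following is an 
independent and explicit statement of the well-known fact that 
the probability of a nontypical set decays to 0 exponentially 
rapidly in $n$ (cf. e.g., [42, Theorem 6.3]). 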

Proposition 1: Given a joint pmf $P_{XY}$ on $\mathcal{X} \times \mathcal{Y}$ with 
$P_{XY}(x, y) > 0$, $x \in \mathcal{X}$, $y \in \mathcal{Y}$, for every $\xi > 0$, 

s 2 

f 5 p-rr 

P£(x) >l-(n+ 1)1*1-2 21n2 F<*^ los 73FwJ f (7) 

xeT £,e 
and 

E p xr(x,y) 
(x,y)er» vc 

f s ; p- 

> 1- (n + l) lx ^ w -2 21n2 l E (^>^xy'° E ^ (a , 6) j ) (8) 
for all n > 1. 

Proof: See Appendix A. ■ 

III. Main Results 

We now present our main results on SK generation for three 
specific models, and PK generation for a fourth model. The 
proofs of the accompanying Theorems 1-4 are provided in 
Section IV. 

Model 1: Let the terminals 1 and 2 observe, respectively, $n$ 
i.i.d. repetitions of the $\{0, 1\}$-valued rvs $X_1$ and $X_2$ with joint 
pmf 

$$P_{X_1 X_2}(x_1, x_2) = \frac{1}{2}(1 - p)\,\delta_{x_1 x_2} + \frac{1}{2}\,p\,(1 - \delta_{x_1 x_2}), \quad 0 < p < \frac{1}{2}, \qquad (9)$$

with $\delta$ being the Kronecker delta function. These terminals 
wish to generate a strong SK of maximum rate. 

The (strong) SK capacity for this model [2], [23], given 
by (1), is 

$$C_S = I(X_1 \wedge X_2) = 1 - h(p).$$

We show a simple scheme for the terminals to generate a SK 
with rate close to $1 - h(p)$, which relies on Wyner's well-known 
method for SW data compression [37]. The SW problem 
of interest entails terminal 2 reconstructing the observed 
sequence $\mathbf{x}_1$ at terminal 1 from the SW codeword for $\mathbf{x}_1$ and 
its own observed sequence $\mathbf{x}_2$. 

Observe that under the given joint pmf (9), $\mathbf{X}_2$ can be 
considered as an input to a virtual BSC($p$), with corresponding 
output $\mathbf{X}_1$, i.e., we can write 

$$\mathbf{X}_1 = \mathbf{X}_2 \oplus \mathbf{V}, \qquad (10)$$

where $\mathbf{V} = (V_1, \ldots, V_n)$ is an i.i.d. sequence of $\{0, 1\}$-valued 
rvs, independent of $\mathbf{X}_2$, and with $\Pr\{V_i = 1\} = p$, $1 \le i \le n$. 



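(i) SW data compression [37]: Let $\mathcal{C}$ be a linear $(n, n - m)$ code 
as in Lemma 1 with parity check matrix $\mathbf{P}$. Both terminals 
know $\mathcal{C}$ (and $\mathbf{P}$). Terminal 1 communicates the syndrome 
$\mathbf{P}\mathbf{x}_1^t$ to terminal 2. The maximum likelihood estimate of $\mathbf{x}_1$ 
at terminal 2 is: 

$$\hat{\mathbf{x}}_2(1) = \mathbf{x}_2 \oplus f_{\mathbf{P}}(\mathbf{P}\mathbf{x}_1^t \oplus \mathbf{P}\mathbf{x}_2^t),$$

where $f_{\mathbf{P}}(\mathbf{P}\mathbf{x}_1^t \oplus \mathbf{P}\mathbf{x}_2^t)$ is the most likely sequence $\mathbf{v} \in \{0, 1\}^n$ 
(under the pmf of $\mathbf{V}$ as above) with syndrome $\mathbf{P}\mathbf{v}^t = \mathbf{P}\mathbf{x}_1^t \oplus \mathbf{P}\mathbf{x}_2^t$, 
with $\oplus$ denoting addition modulo 2 and $t$ denoting 
transposition. Note that in a standard array corresponding to 
the code $\mathcal{C}$ above, $f_{\mathbf{P}}(\mathbf{P}\mathbf{x}_1^t \oplus \mathbf{P}\mathbf{x}_2^t)$ is simply the coset leader 
of the coset with syndrome $\mathbf{P}\mathbf{x}_1^t \oplus \mathbf{P}\mathbf{x}_2^t$. Also, $\mathbf{x}_1$ and $\hat{\mathbf{x}}_2(1)$ 
lie in the same coset. 

The probability of decoding error at terminal 2 is given by 

$$\Pr\{\hat{\mathbf{X}}_2(1) \ne \mathbf{X}_1\} = \Pr\{\mathbf{X}_2 \oplus f_{\mathbf{P}}(\mathbf{P}\mathbf{X}_1^t \oplus \mathbf{P}\mathbf{X}_2^t) \ne \mathbf{X}_1\},$$

and it readily follows from (10) that 

$$\Pr\{\hat{\mathbf{X}}_2(1) \ne \mathbf{X}_1\} = \Pr\{f_{\mathbf{P}}(\mathbf{P}\mathbf{V}^t) \ne \mathbf{V}\}.$$

By Lemma 1, $\Pr\{f_{\mathbf{P}}(\mathbf{P}\mathbf{V}^t) \ne \mathbf{V}\} < 2^{-n\eta}$ for some $\eta > 0$ 
and for all $n$ sufficiently large, so that 

$$\Pr\{\hat{\mathbf{X}}_2(1) = \mathbf{X}_1\} > 1 - 2^{-n\eta}.$$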

(ii) SK construction: Consider a (common) standard array for 
$\mathcal{C}$ known to both terminals. Denote by $\mathbf{a}_{i,j}$ the element of the 
$i$th row and the $j$th column in the standard array, $1 \le i \le 2^m$, 
$1 \le j \le 2^{n-m}$. 

Terminal 1 sets $K_1 = j_1$ if $\mathbf{X}_1$ equals $\mathbf{a}_{i,j_1}$ in its coset $i$ in 
the standard array. Terminal 2 sets $K_2 = j_2$ if $\hat{\mathbf{X}}_2(1)$ equals 
$\mathbf{a}_{i,j_2}$ in the coset $i$ of the same standard array. 

The following theorem asserts that $K_1$ constitutes a strong 
SK with rate approaching SK capacity. 

Theorem 1: Let $\varepsilon > 0$ be given. Then for some $\eta > 0$ and 
for all $n$ sufficiently large, the pair of rvs $(K_1, K_2)$ generated 
above, with (common) range $\mathcal{K}_1$ (say), satisfy 

$$\Pr\{K_1 = K_2\} > 1 - 2^{-n\eta}, \qquad (11)$$

$$I(K_1 \wedge \mathbf{F}) = 0, \qquad (12)$$

$$H(K_1) = \log |\mathcal{K}_1|, \qquad (13)$$

and 

$$\frac{1}{n} H(K_1) > 1 - h(p) - \varepsilon. \qquad (14)$$

Remark: The probability of $K_1$ differing from $K_2$ equals 
exactly the average error probability of maximum likelihood 
decoding when $\mathcal{C}$ is used on a BSC($p$). Furthermore, the gap 
between the rate of the generated SK and SK capacity equals 
the gap between the rate of $\mathcal{C}$ and channel capacity. 

Model 2: Let the terminals 1 and 2 observe, respectively, $n$ 
i.i.d. repetitions of the $\{0, 1\}$-valued rvs with joint pmf 

$$P_{X_1 X_2}(0, 0) = (1 - p)(1 - q),$$

$$P_{X_1 X_2}(0, 1) = pq,$$

$$P_{X_1 X_2}(1, 0) = p(1 - q),$$

$$P_{X_1 X_2}(1, 1) = q(1 - p), \qquad (15)$$

with $0 < p < \frac{1}{2}$ and $0 < q < 1$. These terminals wish to 
generate a strong SK of maximum rate. 

Note that Model 1 is a special case of Model 2 for $q = \frac{1}{2}$. 
We show below a scheme for the terminals to generate a SK 
with rate close to the (strong) SK capacity for this model 
[23], which is given by (1) as 

$$C_S = I(X_1 \wedge X_2) = h(p + q - 2pq) - h(p).$$

(i) SW data compression: This step is identical to step (i) for 
Model 1. Note that under the given joint pmf (15), $\mathbf{X}_1$ and 
$\mathbf{X}_2$ can be written as in (10). It follows in the same manner 
as for Model 1 that for some $\eta > 0$ and for all $n$ sufficiently 
large, 

$$\Pr\{\hat{\mathbf{X}}_2(1) = \mathbf{X}_1\} > 1 - 2^{-n\eta}.$$

(ii) SK construction: Both terminals know the linear $(n, n - m)$ 
code $\mathcal{C}$ as in Lemma 1, and a (common) standard array for $\mathcal{C}$. 
Let $\{\mathbf{e}_i : 1 \le i \le 2^m\}$ denote the set of coset leaders for all 
the cosets of $\mathcal{C}$. 

Denote by $A_i$ the set of sequences from $T^n_{X_1,\xi}$ in the coset of 
$\mathcal{C}$ with coset leader $\mathbf{e}_i$, $1 \le i \le 2^m$. If the number of sequences 
of the same type in $A_i$ is more than $2^{n[I(X_1 \wedge X_2) - \varepsilon']}$, where 
$\varepsilon' > \xi + \varepsilon$ with $\varepsilon$ satisfying $m < n[h(p) + \varepsilon]$ in Lemma 1, then 
collect arbitrarily $2^{n[I(X_1 \wedge X_2) - \varepsilon']}$ such sequences to compose 
a subset, which we term a regular subset (as it consists of 
sequences of the same type). Continue this procedure until 
the number of sequences of every type in $A_i$ is less than 
$2^{n[I(X_1 \wedge X_2) - \varepsilon']}$. Let $N_i$ denote the number of distinct regular 
subsets of $A_i$. 

Enumerate (in any way) the sequences in each regular 
subset. Let $\mathbf{b}_{i,j,k}$, where $1 \le i \le 2^m$, $1 \le j \le N_i$, 
$1 \le k \le 2^{n[I(X_1 \wedge X_2) - \varepsilon']}$, denote the $k$th sequence of the 
$j$th regular subset in the $i$th coset (with coset leader $\mathbf{e}_i$). 

Terminal 1 sets $K_1 = k_1$ if $\mathbf{X}_1$ equals $\mathbf{b}_{i,j_1,k_1}$; else, $K_1$ is 
set to be uniformly distributed on $\{1, \ldots, 2^{n[I(X_1 \wedge X_2) - \varepsilon']}\}$, 
independent of $(\mathbf{X}_1, \mathbf{X}_2)$. Terminal 2 sets $K_2 = k_2$ if $\hat{\mathbf{X}}_2(1)$ 
equals $\mathbf{b}_{i,j_2,k_2}$; else, $K_2$ is set to be uniformly distributed on 
$\{1, \ldots, 2^{n[I(X_1 \wedge X_2) - \varepsilon']}\}$, independent of $(\mathbf{X}_1, \mathbf{X}_2, K_1)$. 

The following theorem says that $K_1$ constitutes a strong SK 
with rate approaching SK capacity. 

Theorem 2: Let $\varepsilon > 0$ be given. Then for some 
$\eta' = \eta'(\eta, \xi, \varepsilon, \varepsilon') > 0$ and for all $n$ sufficiently large, the pair of 
rvs $(K_1, K_2)$ generated above, with range $\mathcal{K}_1$ (say), satisfy 

$$\Pr\{K_1 = K_2\} > 1 - 2^{-n\eta'}, \qquad (16)$$

$$I(K_1 \wedge \mathbf{F}) = 0, \qquad (17)$$

$$H(K_1) = \log |\mathcal{K}_1|, \qquad (18)$$

and 

$$\frac{1}{n} H(K_1) = h(p + q - 2pq) - h(p) - \varepsilon'. \qquad (19)$$

The next model is an instance of a Markov chain on a tree 
(cf. [13]). Consider a tree $T$ with vertex set $V(T) = \{1, \ldots, d\}$ 
and edge set $E(T)$. For $(i, j) \in E(T)$, let $B(i \leftarrow j)$ 
denote the set of all vertices connected with $j$ by a path 
containing the edge $(i, j)$. The rvs $X_1, \ldots, X_d$ form a Markov 
chain on the tree $T$ if for each $(i, j) \in E(T)$, the conditional 
pmf of $X_j$ given $\{X_l, l \in B(i \leftarrow j)\}$ depends only on $X_i$ (i.e., 
is conditionally independent of $\{X_l, l \in B(i \leftarrow j)\}$ 
conditioned on $X_i$). Note that when $T$ is a chain, this concept 
reduces to that of a standard Markov chain. 

Model 3: Let the terminals $1, \ldots, d$ observe, respectively, $n$ 
i.i.d. repetitions of $\{0, 1\}$-valued rvs $X_1, \ldots, X_d$ that form a 
Markov chain on the tree $T$, with joint pmf $P_{X_1 \cdots X_d}$ specified 
as: for $(i, j) \in E(T)$, 

$$P_{X_i X_j}(x_i, x_j) = \frac{1}{2}(1 - p_{(i,j)})\,\delta_{x_i x_j} + \frac{1}{2}\,p_{(i,j)}\,(1 - \delta_{x_i x_j}), \quad 0 < p_{(i,j)} < \frac{1}{2},$$

for $x_i, x_j \in \{0, 1\}$. These $d$ terminals wish to generate a 
strong SK of maximum rate. 

Note that Model 1 is a special case of Model 3 for $d = 2$. 
Without any loss of generality, let 

$$p_{\max} = p_{(i^*, j^*)} = \max_{(i,j)} p_{(i,j)}.$$

Then, the (strong) SK capacity for this model [8] is given by 
(1) as 

$$C_S = I(X_{i^*} \wedge X_{j^*}) = 1 - h(p_{\max}).$$

We show how to extract a SK with rate close to $1 - h(p_{\max})$ 
by using an extension of the SW data compression scheme of 
Model 1 for reconstructing $\mathbf{x}_{i^*}$ at all the terminals. 

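(i) SW data compression: Let $\mathcal{C}$ be the linear $(n, n - m)$ code as 
in Lemma 1 for a BSC($p_{\max}$), and with parity check matrix $\mathbf{P}$. 
Each terminal $i$ communicates the syndrome $\mathbf{P}\mathbf{x}_i^t$, $1 \le i \le d$. 

Let $\hat{\mathbf{x}}_i(j)$ denote the corresponding maximum likelihood 
estimate of $\mathbf{x}_j$ at terminal $i$, $1 \le i \ne j \le d$. For a terminal 
$i \ne i^*$, denote by $(i_0, i_1, \ldots, i_r)$ the (only) path in the tree 
$T$ from $i$ to $i^*$, where $i_0 = i$ and $i_r = i^*$; this terminal $i$, 
with the knowledge of $(\mathbf{x}_i, \mathbf{P}\mathbf{x}_{i_1}^t, \ldots, \mathbf{P}\mathbf{x}_{i_{r-1}}^t, \mathbf{P}\mathbf{x}_{i^*}^t)$, forms 
its estimate $\hat{\mathbf{x}}_i(i^*)$ of $\mathbf{x}_{i^*}$ through the following successive 
maximum likelihood estimates of $\mathbf{x}_{i_1}, \ldots, \mathbf{x}_{i_{r-1}}$: 

$$\hat{\mathbf{x}}_i(i_1) = \mathbf{x}_i \oplus f_{\mathbf{P}}(\mathbf{P}\mathbf{x}_i^t \oplus \mathbf{P}\mathbf{x}_{i_1}^t),$$

$$\hat{\mathbf{x}}_i(i_2) = \hat{\mathbf{x}}_i(i_1) \oplus f_{\mathbf{P}}(\mathbf{P}\mathbf{x}_{i_1}^t \oplus \mathbf{P}\mathbf{x}_{i_2}^t),$$

$$\hat{\mathbf{x}}_i(i_{r-1}) = \hat{\mathbf{x}}_i(i_{r-2}) \oplus f_{\mathbf{P}}(\mathbf{P}\mathbf{x}_{i_{r-2}}^t \oplus \mathbf{P}\mathbf{x}_{i_{r-1}}^t),$$

and finally, 

$$\hat{\mathbf{x}}_i(i^*) = \hat{\mathbf{x}}_i(i_{r-1}) \oplus f_{\mathbf{P}}(\mathbf{P}\mathbf{x}_{i_{r-1}}^t \oplus \mathbf{P}\mathbf{x}_{i^*}^t). \qquad (20)$$

Proposition 2: By the successive maximum likelihood estimation 
above, the estimate $\hat{\mathbf{X}}_i(i^*)$ at terminal $i \ne i^*$ satisfies 

$$\Pr\{\hat{\mathbf{X}}_i(i^*) = \mathbf{X}_{i^*}\} > 1 - d \cdot 2^{-n\eta}, \qquad (21)$$

for some $\eta > 0$ and for all $n$ sufficiently large. 

Proof: See Appendix B. ■ 

It follows directly from (21) that for some $\eta' = \eta'(\eta, m) > 0$ 
and for all $n$ sufficiently large, 

$$\Pr\{\hat{\mathbf{X}}_i(i^*) = \mathbf{X}_{i^*},\ 1 \le i \ne i^* \le d\} > 1 - 2^{-n\eta'}.$$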
(ii) SK construction: Consider a (common) standard array for 
$\mathcal{C}$ known to all the terminals. Denote by $\mathbf{a}_{l,k}$ the element of the 
$l$th row and the $k$th column in the standard array, $1 \le l \le 2^m$, 
$1 \le k \le 2^{n-m}$. Terminal $i^*$ sets $K_{i^*} = k_{i^*}$ if $\mathbf{X}_{i^*}$ equals 
$\mathbf{a}_{l,k_{i^*}}$ in the standard array. Terminal $i$, $1 \le i \ne i^* \le d$, sets 
$K_i = k_i$ if $\hat{\mathbf{X}}_i(i^*)$ equals $\mathbf{a}_{l,k_i}$ in the same standard array. 

The following theorem states that $K_{i^*}$ constitutes a strong 
SK with rate approaching SK capacity. 

Theorem 3: Let $\varepsilon > 0$ be given. Then for some 
$\eta' = \eta'(\eta, d) > 0$ and for all $n$ sufficiently large, the rvs 
$K_1, \ldots, K_d$ generated above, with range $\mathcal{K}_{i^*}$ (say), satisfy 

$$\Pr\{K_1 = \cdots = K_d\} > 1 - 2^{-n\eta'}, \qquad (22)$$

$$I(K_{i^*} \wedge \mathbf{F}) = 0, \qquad (23)$$

$$H(K_{i^*}) = \log |\mathcal{K}_{i^*}|, \qquad (24)$$

and 

$$\frac{1}{n} H(K_{i^*}) > 1 - h(p_{\max}) - \varepsilon. \qquad (25)$$
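The syndrome exchange and standard-array key of Model 1, and the successive estimates (20) of Model 3, run on a toy code as an added example (not code from the paper). The (7,4) Hamming code stands in for the code of Lemma 1, the sample sequences in tree_keys are constructed, and all function names are this example's own.

```python
from collections import Counter

N, M = 7, 3  # toy block length n and syndrome length m (assumption: Hamming code)
# Parity-check matrix P of the (7,4) Hamming code as 7-bit row masks;
# column c (1..7, leftmost first) is the binary expansion of c.
P_ROWS = (0b0001111, 0b0110011, 0b1010101)


def weight(v):
    return bin(v).count("1")


def syndrome(x):
    """P x^t packed into an m-bit integer; linear, so
    syndrome(a ^ b) == syndrome(a) ^ syndrome(b)."""
    s = 0
    for row in P_ROWS:
        s = (s << 1) | (weight(row & x) & 1)
    return s


def coset_leaders():
    """f_P: map each syndrome to a minimum-weight sequence with that syndrome,
    i.e. the most likely noise on a BSC(p) with p < 1/2."""
    leaders = {}
    for v in sorted(range(2 ** N), key=lambda v: (weight(v), v)):
        leaders.setdefault(syndrome(v), v)
    return leaders


LEADER = coset_leaders()
CODEWORDS = sorted(x for x in range(2 ** N) if syndrome(x) == 0)
# Column index j of each codeword c_j in the (common) standard array.
COLUMN = {c: j for j, c in enumerate(CODEWORDS, start=1)}


def key_of(x):
    """Step (ii): the column j of the standard array that holds x = e_i ^ c_j."""
    return COLUMN[x ^ LEADER[syndrome(x)]]


def estimate_along_path(x_own, path_syndromes):
    """Successive estimates as in (20). x_own is the terminal's own sequence and
    path_syndromes are the public syndromes of i_1, ..., i_r = i* on its tree
    path. With a single syndrome this is terminal 2's estimate in Model 1."""
    est, prev = x_own, syndrome(x_own)
    for s in path_syndromes:
        est ^= LEADER[prev ^ s]  # est now estimates the next sequence on the path
        prev = s
    return est


def agreement_rate(noise_weight):
    """Model 1, exhaustively: fraction of pairs (x2, v) with weight(v) equal to
    noise_weight for which both terminals derive the same key, x1 = x2 ^ v."""
    noises = [v for v in range(2 ** N) if weight(v) == noise_weight]
    hits = 0
    for x2 in range(2 ** N):
        for v in noises:
            x1 = x2 ^ v
            x1_hat = estimate_along_path(x2, [syndrome(x1)])  # only P x1^t is public
            hits += key_of(x1_hat) == key_of(x1)
    return hits / (len(noises) * 2 ** N)


def joint_counts():
    """Count (public syndrome F, key K1) pairs over all 2^n equally likely x1."""
    return Counter((syndrome(x1), key_of(x1)) for x1 in range(2 ** N))


def tree_keys():
    """Model 3 on the chain 3 - 2 - 1 with i* = 1 (constructed sample values)."""
    x1 = 0b1011001
    x2 = x1 ^ 0b0000100  # one flipped bit on edge (1, 2)
    x3 = x2 ^ 0b0100000  # one flipped bit on edge (2, 3)
    s1, s2 = syndrome(x1), syndrome(x2)
    k1 = key_of(x1)
    k2 = key_of(estimate_along_path(x2, [s1]))
    k3 = key_of(estimate_along_path(x3, [s2, s1]))
    # Skipping terminal 2's syndrome leaves two flipped bits, beyond this code.
    k3_direct = key_of(estimate_along_path(x3, [s1]))
    return k1, k2, k3, k3_direct


if __name__ == "__main__":
    for w in (0, 1, 2):
        print(f"noise weight {w}: keys agree in {agreement_rate(w):.0%} of cases")
    counts = joint_counts()
    print("distinct (syndrome, key) pairs:", len(counts),
          "occurrences of each:", set(counts.values()))
    print("keys on the chain 3-2-1 (k1, k2, k3, k3 without relay):", tree_keys())
```

Every (syndrome, key) pair occurs exactly once over the 128 equally likely values of the first terminal's sequence, so the key is uniform on 16 values and independent of the public syndrome, as (12) and (13) state. At block length 7 only one flipped bit is corrected, which is why agreement fails at noise weight 2.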



Model 4: Let the terminals 1, 2 and 3 observe, respectively, 
$n$ i.i.d. repetitions of the $\{0, 1\}$-valued rvs $X_1$, $X_2$, $X_3$, with 
joint pmf $P_{X_1 X_2 X_3}$ given by: 

$$P_{X_1 X_2 X_3}(0, 0, 0) = P_{X_1 X_2 X_3}(0, 1, 1) = \frac{(1 - p)(1 - q)}{2},$$

$$P_{X_1 X_2 X_3}(0, 0, 1) = P_{X_1 X_2 X_3}(0, 1, 0) = \frac{pq}{2},$$

$$P_{X_1 X_2 X_3}(1, 0, 0) = P_{X_1 X_2 X_3}(1, 1, 1) = \frac{p(1 - q)}{2},$$

$$P_{X_1 X_2 X_3}(1, 0, 1) = P_{X_1 X_2 X_3}(1, 1, 0) = \frac{q(1 - p)}{2}, \qquad (26)$$

with $0 < p < \frac{1}{2}$ and $0 < q < 1$. Terminals 1 and 2 wish to 
generate a strong PK of maximum rate, which is concealed 
from the helper terminal 3. 

Note that under the joint pmf of $X_1$, $X_2$, $X_3$ above, we can 
write 

$$\mathbf{X}_1 = \mathbf{X}_2 \oplus \mathbf{X}_3 \oplus \mathbf{V}, \qquad (27)$$

where $\mathbf{V} = (V_1, \ldots, V_n)$ is an i.i.d. sequence of $\{0, 1\}$-valued 
rvs, independent of $(\mathbf{X}_2, \mathbf{X}_3)$, with $\Pr\{V_i = 1\} = p$, $1 \le i \le n$. 
Further, $(X_2, X_3)$ plays the role of $(X_1, X_2)$ in Model 1 
with $q$ in lieu of $p$ in the latter. 

We show below a scheme for terminals 1 and 2 to generate 
a PK with rate close to (strong) PK capacity for this model, 
given by (4) as 

$$C_P(\{1, 2\}) = I(X_1 \wedge X_2 \mid X_3) = h(p + q - 2pq) - h(p).$$

The first step of this scheme entails terminal 3 simply revealing 
its observations $\mathbf{x}_3$ to both terminals 1 and 2. Then, Wyner's 
SW data compression scheme is used for reconstructing $\mathbf{x}_1$ 
at terminal 2 from the SW codeword for $\mathbf{x}_1$ and its own 
knowledge of $\mathbf{x}_2 \oplus \mathbf{x}_3$. 

(i) SW data compression: This step is identical to step (i) for 
Model 1, as seen with the help of (27). Obviously, 

$$\Pr\{\hat{\mathbf{X}}_2(1) = \mathbf{X}_1\} > 1 - 2^{-n\eta},$$

for some $\eta > 0$ and for all $n$ sufficiently large. 
(ii) PK construction: Suppose that terminals 1 and 2 know a 
linear $(n, n - m)$ code $\mathcal{C}$ as in Lemma 1, and a (common) 
standard array for $\mathcal{C}$. Let $\{\mathbf{e}_i : 1 \le i \le 2^m\}$ denote the set of 
coset leaders for all the cosets of $\mathcal{C}$. 

For a sequence $\mathbf{x}_3 \in \{0, 1\}^n$, denote by $A_i(\mathbf{x}_3)$ the set 
of sequences from $T^n_{X_1|X_3,\xi}(\mathbf{x}_3)$ in the coset of $\mathcal{C}$ with coset 
leader $\mathbf{e}_i$, $1 \le i \le 2^m$. If the number of sequences of the same 
joint type with $\mathbf{x}_3$ in $A_i(\mathbf{x}_3)$ is more than $2^{n[I(X_1 \wedge X_2 | X_3) - \varepsilon']}$, 
where $\varepsilon' > 2\xi + \varepsilon$ and $\varepsilon$ satisfies $m < n[h(p) + \varepsilon]$ (as in Lemma 
1), then collect arbitrarily $2^{n[I(X_1 \wedge X_2 | X_3) - \varepsilon']}$ such sequences 
to compose a regular subset. Continue this procedure until the 
number of sequences of every joint type with $\mathbf{x}_3$ in $A_i(\mathbf{x}_3)$ is 
less than $2^{n[I(X_1 \wedge X_2 | X_3) - \varepsilon']}$. Let $N_i(\mathbf{x}_3)$ denote the number 
of distinct regular subsets of $A_i(\mathbf{x}_3)$. 

For a given sequence $\mathbf{x}_3$, enumerate (in any way) the 
sequences in each regular subset. Let $\mathbf{b}_{i,j,k}(\mathbf{x}_3)$, where 
$1 \le i \le 2^m$, $1 \le j \le N_i(\mathbf{x}_3)$, $1 \le k \le 2^{n[I(X_1 \wedge X_2 | X_3) - \varepsilon']}$, denote 
the $k$th sequence of the $j$th regular subset in the $i$th coset. 

Terminal 1 sets $K_1 = k_1$ if $\mathbf{X}_1$ equals 
$\mathbf{b}_{i,j_1,k_1}(\mathbf{x}_3)$; else, $K_1$ is set to be uniformly distributed 
on $\{1, \ldots, 2^{n[I(X_1 \wedge X_2 | X_3) - \varepsilon']}\}$, independent of 
$(\mathbf{X}_1, \mathbf{X}_2, \mathbf{X}_3)$. Terminal 2 sets $K_2 = k_2$ if $\hat{\mathbf{X}}_2(1)$ 
equals $\mathbf{b}_{i,j_2,k_2}(\mathbf{x}_3)$; else, $K_2$ is set to be uniformly 
distributed on $\{1, \ldots, 2^{n[I(X_1 \wedge X_2 | X_3) - \varepsilon']}\}$, independent of 
$(\mathbf{X}_1, \mathbf{X}_2, \mathbf{X}_3, K_1)$. 

The following theorem establishes that $K_1$ constitutes a 
strong PK with rate approaching PK capacity. 

Theorem 4: Let $\varepsilon > 0$ be given. Then for some 
$\eta' = \eta'(\eta, \xi, \varepsilon, \varepsilon') > 0$ and for all $n$ sufficiently large, the pair of 
rvs $(K_1, K_2)$ generated above, with range $\mathcal{K}_1$ (say), satisfy 

$$\Pr\{K_1 \ne K_2\} < 2^{-n\eta'}, \qquad (28)$$

$$I(K_1 \wedge \mathbf{X}_3, \mathbf{F}) = 0, \qquad (29)$$

$$H(K_1) = \log |\mathcal{K}_1|, \qquad (30)$$

and 

$$\frac{1}{n} H(K_1) = I(X_1 \wedge X_2 \mid X_3) - \varepsilon'. \qquad (31)$$

Remark: The PK construction scheme above applies for any 
joint pmf $P_{X_1 X_2 X_3}$ satisfying (27), and is not restricted to the 
given joint pmf in (26). 



IV. Proofs of Theorems 1-4 

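Proof of Theorem 1: It follows from the SK construction 
scheme for Model 1 that 

$$\Pr\{K_1 \ne K_2\} = \Pr\{\hat{\mathbf{X}}_2(1) \ne \mathbf{X}_1\} < 2^{-n\eta},$$

which is (11). Since $\mathbf{X}_1$ is uniformly distributed on $\{0, 1\}^n$, we 
have for $1 \le i \le 2^m$, $1 \le j \le 2^{n-m}$, that 

$$\Pr\{\mathbf{X}_1 = \mathbf{a}_{i,j}\} = 2^{-n}.$$

Hence, 

$$\Pr\{K_1 = j\} = \sum_{i=1}^{2^m} \Pr\{\mathbf{X}_1 = \mathbf{a}_{i,j}\} = 2^{-(n-m)}, \quad 1 \le j \le 2^{n-m},$$

i.e., $K_1$ is uniformly distributed on $\mathcal{K}_1 = \{1, \ldots, 2^{n-m}\}$, and 
so 

$$H(K_1) = \log 2^{n-m} = n - m = \log |\mathcal{K}_1|,$$

which is (13). Therefore, (14) holds since $m < n[h(p) + \varepsilon]$. 

It remains to show that $K_1$ satisfies (12) with $\mathbf{F} = \mathbf{P}\mathbf{X}_1^t$. 
Let $\{\mathbf{e}_i, 1 \le i \le 2^m\}$ be the set of coset leaders for the cosets 
of $\mathcal{C}$. For $1 \le i \le 2^m$, $1 \le j \le 2^{n-m}$, 

$$\Pr\{K_1 = j \mid \mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t\} = \frac{\Pr\{K_1 = j, \mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t\}}{\Pr\{\mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t\}} = \frac{\Pr\{\mathbf{X}_1 = \mathbf{a}_{i,j}\}}{\sum_{j'=1}^{2^{n-m}} \Pr\{\mathbf{X}_1 = \mathbf{a}_{i,j'}\}} = 2^{-(n-m)} = \Pr\{K_1 = j\},$$

i.e., $K_1$ is independent of $\mathbf{F}$, and so $I(K_1 \wedge \mathbf{F}) = 0$, 
establishing (12). ■ 

Proof of Theorem 2: Let $\mathcal{F}$ denote the union of all regular 
subsets in $\bigcup_{i=1}^{2^m} A_i$. Clearly $\mathcal{F} \subset T^n_{X_1,\xi}$, so that 

$$\Pr\{\mathbf{X}_1 \in \mathcal{F}\} = \Pr\{\mathbf{X}_1 \in T^n_{X_1,\xi}, \mathbf{X}_1 \in \mathcal{F}\} = \Pr\{\mathbf{X}_1 \in T^n_{X_1,\xi}\} - \Pr\{\mathbf{X}_1 \in T^n_{X_1,\xi} \setminus \mathcal{F}\}. \qquad (32)$$

By Proposition 1, $\Pr\{\mathbf{X}_1 \in T^n_{X_1,\xi}\}$ goes to 1 exponentially 
rapidly in $n$. We show below that $\Pr\{\mathbf{X}_1 \in T^n_{X_1,\xi} \setminus \mathcal{F}\}$ decays 
to 0 exponentially rapidly in $n$. 

Since the number of different types of sequences in $\{0, 1\}^n$ 
does not exceed $(n + 1)^2$, we have that 

$$|\{\mathbf{x}_1 : \mathbf{x}_1 \in T^n_{X_1,\xi} \setminus \mathcal{F}\}| < 2^m \cdot (n + 1)^2 \cdot 2^{n[I(X_1 \wedge X_2) - \varepsilon']} < (n + 1)^2 \cdot 2^{n[H(X_1) + \varepsilon - \varepsilon']},$$

where the previous inequality is from $m < n[h(p) + \varepsilon] = n[H(X_1|X_2) + \varepsilon]$. 

Since $P^n_{X_1}(\mathbf{x}_1) < 2^{-n[H(X_1) - \xi]}$, $\mathbf{x}_1 \in T^n_{X_1,\xi}$, we get 

$$\Pr\{\mathbf{X}_1 \in T^n_{X_1,\xi} \setminus \mathcal{F}\} < (n + 1)^2 \cdot 2^{-n(\varepsilon' - \xi - \varepsilon)}.$$

Choosing $\varepsilon' > \xi + \varepsilon$, $\Pr\{\mathbf{X}_1 \in T^n_{X_1,\xi} \setminus \mathcal{F}\}$ goes to 0 
exponentially rapidly. Therefore, it follows from (32) that 
$\Pr\{\mathbf{X}_1 \in \mathcal{F}\}$ goes to 1 exponentially rapidly in $n$, with 
exponent depending on $(\xi, \varepsilon, \varepsilon')$. 

By the SK construction scheme for Model 2, 

$$\Pr\{K_1 \ne K_2\} = \Pr\{K_1 \ne K_2, \mathbf{X}_1 \in \mathcal{F}\} + \Pr\{K_1 \ne K_2, \mathbf{X}_1 \notin \mathcal{F}\}$$

$$\le \Pr\{\hat{\mathbf{X}}_2(1) \ne \mathbf{X}_1, \mathbf{X}_1 \in \mathcal{F}\} + \Pr\{\mathbf{X}_1 \notin \mathcal{F}\}$$

$$\le \Pr\{\hat{\mathbf{X}}_2(1) \ne \mathbf{X}_1\} + \Pr\{\mathbf{X}_1 \notin \mathcal{F}\}.$$

Since $\Pr\{\hat{\mathbf{X}}_2(1) \ne \mathbf{X}_1\} < 2^{-n\eta}$, by the observation in the 
previous paragraph, we have 

$$\Pr\{K_1 \ne K_2\} < 2^{-n\eta'}$$

for some $\eta' = \eta'(\eta, \xi, \varepsilon, \varepsilon') > 0$ and for all $n$ sufficiently 
large, which is (16). 

Next, we shall show that $K_1$ satisfies (18). For 
$1 \le k \le 2^{n[I(X_1 \wedge X_2) - \varepsilon']}$, it is clear by choice that 

$$\Pr\{K_1 = k \mid \mathbf{X}_1 \notin \mathcal{F}\} = 2^{-n[I(X_1 \wedge X_2) - \varepsilon']}, \qquad (33)$$

and that 

$$\Pr\{K_1 = k \mid \mathbf{X}_1 \in \mathcal{F}\} = \frac{\Pr\{K_1 = k, \mathbf{X}_1 \in \mathcal{F}\}}{\Pr\{\mathbf{X}_1 \in \mathcal{F}\}} = \frac{\sum_{i=1}^{2^m} \sum_{j=1}^{N_i} \Pr\{\mathbf{X}_1 = \mathbf{b}_{i,j,k}\}}{\sum_{i=1}^{2^m} \sum_{j=1}^{N_i} 2^{n[I(X_1 \wedge X_2) - \varepsilon']} \Pr\{\mathbf{X}_1 = \mathbf{b}_{i,j,k}\}} \qquad (34)$$

$$= 2^{-n[I(X_1 \wedge X_2) - \varepsilon']}, \qquad (35)$$

where (34) is due to every regular subset consisting of sequences 
of the same type. From (33) and (35), 

$$\Pr\{K_1 = k\} = 2^{-n[I(X_1 \wedge X_2) - \varepsilon']}, \qquad (36)$$

i.e., $K_1$ is uniformly distributed on $\mathcal{K}_1 = \{1, \ldots, 2^{n[I(X_1 \wedge X_2) - \varepsilon']}\}$, and 

$$\frac{1}{n} H(K_1) = I(X_1 \wedge X_2) - \varepsilon',$$

which is (19). 

It remains to show that $K_1$ satisfies (17) with $\mathbf{F} = \mathbf{P}\mathbf{X}_1^t$. 

For $1 \le i \le 2^m$, $1 \le k \le 2^{n[I(X_1 \wedge X_2) - \varepsilon']}$, we have 

$$\Pr\{K_1 = k \mid \mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t, \mathbf{X}_1 \notin \mathcal{F}\} = 2^{-n[I(X_1 \wedge X_2) - \varepsilon']}$$

by choice, and 

$$\Pr\{K_1 = k \mid \mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t, \mathbf{X}_1 \in \mathcal{F}\} = \frac{\Pr\{K_1 = k, \mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t, \mathbf{X}_1 \in \mathcal{F}\}}{\Pr\{\mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t, \mathbf{X}_1 \in \mathcal{F}\}} = \frac{\sum_{j=1}^{N_i} \Pr\{\mathbf{X}_1 = \mathbf{b}_{i,j,k}\}}{\sum_{j=1}^{N_i} 2^{n[I(X_1 \wedge X_2) - \varepsilon']} \Pr\{\mathbf{X}_1 = \mathbf{b}_{i,j,k}\}} = 2^{-n[I(X_1 \wedge X_2) - \varepsilon']}.$$

Hence, 

$$\Pr\{K_1 = k \mid \mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t\} = \Pr\{K_1 = k \mid \mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t, \mathbf{X}_1 \in \mathcal{F}\} \times \Pr\{\mathbf{X}_1 \in \mathcal{F} \mid \mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t\}$$

$$+ \Pr\{K_1 = k \mid \mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t, \mathbf{X}_1 \notin \mathcal{F}\} \times \Pr\{\mathbf{X}_1 \notin \mathcal{F} \mid \mathbf{P}\mathbf{X}_1^t = \mathbf{P}\mathbf{e}_i^t\}$$

$$= 2^{-n[I(X_1 \wedge X_2) - \varepsilon']} = \Pr\{K_1 = k\},$$

where the previous equality follows from (36). Thus, $K_1$ is 
independent of $\mathbf{F}$, establishing (17). ■ 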

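Proof of Theorem 3: Applying the same arguments used in Theorem 1, we see that the rvs $K_1, \dots, K_m$ satisfy (22), (24) and (25). It then remains to show that $K_{i^*}$ satisfies (23) with $\mathbf{F} = (P\mathbf{X}_1^t, \dots, P\mathbf{X}_d^t)$.

Under the given joint pmf $P_{X_1 \cdots X_d}$, for each $i \ne i^*$, we can write

$$\mathbf{X}_i = \mathbf{X}_{i^*} \oplus \mathbf{V}_i,$$

where $\mathbf{V}_i = (V_{i,1}, \dots, V_{i,n})$ is an i.i.d. sequence of $\{0,1\}$-valued rvs. Further, $\mathbf{V}_i$, $1 \le i \ne i^* \le d$, and $\mathbf{X}_{i^*}$ are mutually independent. Then,

$$\begin{aligned} I(K_{i^*} \wedge \mathbf{F}) &= I(K_{i^*} \wedge \{P\mathbf{X}_i^t,\ 1 \le i \le d\}) \\ &\le I(K_{i^*} \wedge P\mathbf{X}_{i^*}^t, \{P\mathbf{V}_i^t,\ 1 \le i \ne i^* \le d\}) \\ &\le I(K_{i^*} \wedge P\mathbf{X}_{i^*}^t) + I(K_{i^*}, P\mathbf{X}_{i^*}^t \wedge \{P\mathbf{V}_i^t,\ 1 \le i \ne i^* \le d\}). \end{aligned} \tag{37}$$

Clearly, the first term on the right hand side of (37) is zero. Since for a fixed $P$, $(K_{i^*}, P\mathbf{X}_{i^*}^t)$ is a function of $\mathbf{X}_{i^*}$,

$$I(K_{i^*}, P\mathbf{X}_{i^*}^t \wedge \{P\mathbf{V}_i^t,\ 1 \le i \ne i^* \le d\}) \le I(\mathbf{X}_{i^*} \wedge \{\mathbf{V}_i,\ 1 \le i \ne i^* \le d\}) = 0,$$

i.e., $K_{i^*}$ is independent of $\mathbf{F}$, establishing (23). ■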

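Proof of Theorem 4: For every $\mathbf{x}_3 \in \{0,1\}^n$, let $\mathcal{F}(\mathbf{x}_3)$ denote the union of all regular subsets in $\bigcup_{i=1}^{2^m} \mathcal{A}_i(\mathbf{x}_3)$. Since $\mathcal{F}(\mathbf{x}_3) \subseteq T^n_{X_1|X_3,\xi}(\mathbf{x}_3)$,

$$\Pr\{\mathbf{X}_1 \in \mathcal{F}(\mathbf{X}_3)\} = \Pr\{\mathbf{X}_1 \in T^n_{X_1|X_3,\xi}(\mathbf{X}_3)\} - \Pr\{\mathbf{X}_1 \in T^n_{X_1|X_3,\xi}(\mathbf{X}_3) \setminus \mathcal{F}(\mathbf{X}_3)\}. \tag{38}$$

It follows from Proposition 1 that $\Pr\{\mathbf{X}_1 \in T^n_{X_1|X_3,\xi}(\mathbf{X}_3)\}$ goes to 1 exponentially rapidly in $n$. We show below that $\Pr\{\mathbf{X}_1 \in T^n_{X_1|X_3,\xi}(\mathbf{X}_3) \setminus \mathcal{F}(\mathbf{X}_3)\}$ goes to 0 exponentially rapidly in $n$.

Recall that the number of different joint types of pairs in $\{0,1\}^n \times \{0,1\}^n$ does not exceed $(n+1)^4$. Thus,

$$|\{\mathbf{x}_1 : \mathbf{x}_1 \in T^n_{X_1|X_3,\xi}(\mathbf{x}_3) \setminus \mathcal{F}(\mathbf{x}_3)\}| \le 2^m \cdot (n+1)^4 \cdot 2^{n[I(X_1 \wedge X_2|X_3) - \epsilon']}$$

where the previous inequality is from $m < n[h(p) + \epsilon] = n[H(X_1|X_2, X_3) + \epsilon]$.

Since $P^n_{X_1|X_3}(\mathbf{x}_1|\mathbf{x}_3) \le 2^{-n[H(X_1|X_3) - 2\xi]}$, $(\mathbf{x}_1, \mathbf{x}_3) \in T^n_{X_1 X_3,\xi}$, we get

$$\Pr\{\mathbf{X}_1 \in T^n_{X_1|X_3,\xi}(\mathbf{X}_3) \setminus \mathcal{F}(\mathbf{X}_3)\} < (n+1)^4 \cdot 2^{-n(\epsilon' - 2\xi - \epsilon)}.$$

Choosing $\epsilon' > 2\xi + \epsilon$, $\Pr\{\mathbf{X}_1 \in T^n_{X_1|X_3,\xi}(\mathbf{X}_3) \setminus \mathcal{F}(\mathbf{X}_3)\}$ goes to 0 exponentially rapidly. Therefore, it follows from (38) that $\Pr\{\mathbf{X}_1 \in \mathcal{F}(\mathbf{X}_3)\}$ goes to 1 exponentially rapidly in $n$, with an exponent depending on $(\xi, \epsilon, \epsilon')$.

By the PK construction scheme for Model 4,

$$\begin{aligned} \Pr\{K_1 \ne K_2\} &= \Pr\{K_1 \ne K_2,\ \mathbf{X}_1 \in \mathcal{F}(\mathbf{X}_3)\} + \Pr\{K_1 \ne K_2,\ \mathbf{X}_1 \notin \mathcal{F}(\mathbf{X}_3)\} \\ &\le \Pr\{\hat{\mathbf{X}}_2(1) \ne \mathbf{X}_1,\ \mathbf{X}_1 \in \mathcal{F}(\mathbf{X}_3)\} + \Pr\{\mathbf{X}_1 \notin \mathcal{F}(\mathbf{X}_3)\} \\ &\le \Pr\{\hat{\mathbf{X}}_2(1) \ne \mathbf{X}_1\} + \Pr\{\mathbf{X}_1 \notin \mathcal{F}(\mathbf{X}_3)\}. \end{aligned}$$

Since $\Pr\{\hat{\mathbf{X}}_2(1) \ne \mathbf{X}_1\} < 2^{-n\eta}$, by the observation in the previous paragraph, we have

$$\Pr\{K_1 \ne K_2\} < 2^{-n\eta'},$$

for some $\eta' = \eta'(\eta, \xi, \epsilon, \epsilon') > 0$ and for all $n$ sufficiently large, which is (28).

Next, we shall show that $K_1$ satisfies (30). For $\mathbf{x}_3 \in \{0,1\}^n$ and $1 \le k \le 2^{n[I(X_1 \wedge X_2|X_3) - \epsilon']}$, it is clear by choice that

$$\Pr\{K_1 = k \mid \mathbf{X}_1 \notin \mathcal{F}(\mathbf{x}_3),\ \mathbf{X}_3 = \mathbf{x}_3\} = 2^{-n[I(X_1 \wedge X_2|X_3) - \epsilon']},$$

and that

$$\begin{aligned} \Pr\{K_1 = k \mid \mathbf{X}_1 \in \mathcal{F}(\mathbf{x}_3),\ \mathbf{X}_3 = \mathbf{x}_3\} &= \frac{\Pr\{K_1 = k,\ \mathbf{X}_1 \in \mathcal{F}(\mathbf{x}_3) \mid \mathbf{X}_3 = \mathbf{x}_3\}}{\Pr\{\mathbf{X}_1 \in \mathcal{F}(\mathbf{x}_3) \mid \mathbf{X}_3 = \mathbf{x}_3\}} \\ &= \frac{\sum_{i=1}^{2^m} \sum_{j} \Pr\{\mathbf{X}_1 = \mathbf{b}_{i,j,k}(\mathbf{x}_3) \mid \mathbf{X}_3 = \mathbf{x}_3\}}{\sum_{i=1}^{2^m} \sum_{j} 2^{n[I(X_1 \wedge X_2|X_3) - \epsilon']} \Pr\{\mathbf{X}_1 = \mathbf{b}_{i,j,k}(\mathbf{x}_3) \mid \mathbf{X}_3 = \mathbf{x}_3\}} \\ &= 2^{-n[I(X_1 \wedge X_2|X_3) - \epsilon']}, \end{aligned}$$

where the second equality is due to every regular subset consisting of sequences of the same joint type with $\mathbf{x}_3$. Therefore,

$$\begin{aligned} \Pr\{K_1 = k\} &= \sum_{\mathbf{x}_3 \in \{0,1\}^n} \Pr\{K_1 = k,\ \mathbf{X}_3 = \mathbf{x}_3\} \\ &= \sum_{\mathbf{x}_3 \in \{0,1\}^n} \big[ \Pr\{\mathbf{X}_1 \in \mathcal{F}(\mathbf{x}_3),\ \mathbf{X}_3 = \mathbf{x}_3\} \times \Pr\{K_1 = k \mid \mathbf{X}_1 \in \mathcal{F}(\mathbf{x}_3),\ \mathbf{X}_3 = \mathbf{x}_3\} \\ &\qquad + \Pr\{\mathbf{X}_1 \notin \mathcal{F}(\mathbf{x}_3),\ \mathbf{X}_3 = \mathbf{x}_3\} \times \Pr\{K_1 = k \mid \mathbf{X}_1 \notin \mathcal{F}(\mathbf{x}_3),\ \mathbf{X}_3 = \mathbf{x}_3\} \big] \\ &= 2^{-n[I(X_1 \wedge X_2|X_3) - \epsilon']}, \end{aligned} \tag{39}$$

i.e., $K_1$ is uniformly distributed on $\mathcal{K}_1 = \{1, \dots, 2^{n[I(X_1 \wedge X_2|X_3) - \epsilon']}\}$ with

$$\frac{1}{n} H(K_1) = I(X_1 \wedge X_2|X_3) - \epsilon',$$

which is (31).

It remains to show that $K_1$ satisfies (29) with $(\mathbf{X}_3, \mathbf{F}) = (\mathbf{X}_3, P\mathbf{X}_1^t)$. For $\mathbf{x}_3 \in \{0,1\}^n$, $1 \le i \le 2^m$ and $1 \le k \le 2^{n[I(X_1 \wedge X_2|X_3) - \epsilon']}$, we have

$$\Pr\{K_1 = k \mid P\mathbf{X}_1^t = P\mathbf{e}_i^t,\ \mathbf{X}_1 \notin \mathcal{F}(\mathbf{x}_3),\ \mathbf{X}_3 = \mathbf{x}_3\} = 2^{-n[I(X_1 \wedge X_2|X_3) - \epsilon']}$$

by choice, and

$$\begin{aligned} \Pr\{K_1 = k \mid P\mathbf{X}_1^t = P\mathbf{e}_i^t,\ \mathbf{X}_1 \in \mathcal{F}(\mathbf{x}_3),\ \mathbf{X}_3 = \mathbf{x}_3\} &= \frac{\Pr\{K_1 = k,\ P\mathbf{X}_1^t = P\mathbf{e}_i^t,\ \mathbf{X}_1 \in \mathcal{F}(\mathbf{x}_3) \mid \mathbf{X}_3 = \mathbf{x}_3\}}{\Pr\{P\mathbf{X}_1^t = P\mathbf{e}_i^t,\ \mathbf{X}_1 \in \mathcal{F}(\mathbf{x}_3) \mid \mathbf{X}_3 = \mathbf{x}_3\}} \\ &= \frac{\sum_{j} \Pr\{\mathbf{X}_1 = \mathbf{b}_{i,j,k}(\mathbf{x}_3) \mid \mathbf{X}_3 = \mathbf{x}_3\}}{\sum_{j} 2^{n[I(X_1 \wedge X_2|X_3) - \epsilon']} \Pr\{\mathbf{X}_1 = \mathbf{b}_{i,j,k}(\mathbf{x}_3) \mid \mathbf{X}_3 = \mathbf{x}_3\}} \\ &= 2^{-n[I(X_1 \wedge X_2|X_3) - \epsilon']}. \end{aligned}$$

Hence,

$$\Pr\{K_1 = k \mid P\mathbf{X}_1^t = P\mathbf{e}_i^t,\ \mathbf{X}_3 = \mathbf{x}_3\} = \Pr\{K_1 = k\},$$

where the previous equality follows from (39). Thus, $K_1$ is independent of $(\mathbf{X}_3, \mathbf{F})$, establishing (29).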



V. Implementation with LDPC Codes 

We outline an implementation using LDPC codes (cf. e.g., 
ED, ED, (34), ED) of the scheme for the construction of 
a SK for Model 1 in Section EH. As will be indicated below, 
similar implementations can be applied to Models 2-4 as well.

A. SK construction 

Without any loss of generality, we consider a systematic $(n, n-m)$ LDPC code $C$ with generator matrix $G = [I_{n-m}\ A]$, where $I_{n-m}$ is an $(n-m) \times (n-m)$ identity matrix and $A$ is an $(n-m) \times m$ matrix. Then, the parity check matrix for $C$ is $P = [A^t\ I_m]$, where $I_m$ is an $m \times m$ identity matrix. The first $n-m$ bits of every codeword in $C$, namely the information bits, are pairwise distinct. Further, since the coset with coset leader $\mathbf{e}_i$, $1 \le i \le 2^m$, must contain the sequence $\mathbf{b}_i = [\mathbf{0}_{n-m}\ \mathbf{e}_i P^t]$, with $\mathbf{0}_{n-m}$ denoting a sequence of $n-m$ zeros, the first $(n-m)$-bit segments of the sequences in the coset $\{\mathbf{b}_i \oplus \mathbf{c},\ \mathbf{c} \in C\}$ are pairwise distinct.

Terminal 1 transmits the syndrome $P\mathbf{x}_1^t$, whereupon terminal 2, knowing $(\mathbf{x}_2, P\mathbf{x}_1^t)$, applies the belief-propagation algorithm described in [19] to estimate $\hat{\mathbf{x}}_2(1)$. Since the first $n-m$ bits of the sequences in each coset are pairwise distinct, these bits can serve as the index of a sequence in its coset. Then, terminal 1 (resp. 2) sets $K_1$ (resp. $K_2$) as the first $n-m$ bits of $\mathbf{x}_1$ (resp. $\hat{\mathbf{x}}_2(1)$).
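The syndrome-plus-information-bits construction just described, as an added Python example (not code from the paper): a constructed systematic (7,4) Hamming code stands in for the LDPC code, and exhaustive coset-leader (maximum likelihood) decoding replaces belief propagation. All function names and the sample observation are illustrative assumptions.

```python
from itertools import product

# Constructed toy parameters: n = 7, m = 3, so each key has n - m = 4 bits.
N, M = 7, 3
# A is the (n-m) x m block of G = [I A]; this choice gives the (7,4) Hamming code.
A = [(1, 1, 0), (1, 0, 1), (0, 1, 1), (1, 1, 1)]

def add(u, v):
    """Componentwise XOR of two binary tuples."""
    return tuple(a ^ b for a, b in zip(u, v))

def syndrome(x):
    """P x^t for P = [A^t I_m]: information bits times A, plus the parity bits."""
    s = x[N - M:]
    for bit, row in zip(x[:N - M], A):
        if bit:
            s = add(s, row)
    return s

# Coset leader = a minimum-weight sequence with the given syndrome.
LEADER = {}
for e in sorted(product((0, 1), repeat=N), key=sum):
    LEADER.setdefault(syndrome(e), e)

def key(x):
    """The first n - m bits index a sequence within its coset."""
    return x[:N - M]

def estimate_x1(x2, s1):
    """Terminal 2: most likely member of the coset with syndrome s1, given x2."""
    return add(x2, LEADER[add(syndrome(x2), s1)])

def agree(x1, noise):
    """Return (K1, K2) when terminal 2 observes x2 = x1 XOR noise."""
    x2 = add(x1, noise)
    s1 = syndrome(x1)            # the only public message
    return key(x1), key(estimate_x1(x2, s1))

def keys_in_coset(s):
    """All keys consistent with public syndrome s (the eavesdropper's view)."""
    return sorted(key(x) for x in product((0, 1), repeat=N) if syndrome(x) == s)

if __name__ == "__main__":
    x1 = (1, 0, 1, 1, 0, 1, 0)                    # constructed observation
    print(agree(x1, (0, 0, 0, 0, 1, 0, 0)))       # one flipped bit: keys match
    print(agree(x1, (1, 1, 0, 0, 0, 0, 0)))       # two flipped bits: keys differ
    print(len(keys_in_coset(syndrome(x1))))       # number of keys in one coset
```

Every coset contains each 4-bit key exactly once, so the public syndrome leaves all keys equally consistent with what was transmitted; a noise pattern the code cannot correct shows up as a key mismatch, which is the KBER measured in the simulations.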

The same implementation of the SW data compression scheme above holds for Models 2 and 4, too. It can be applied repeatedly also for the successive estimates (20) in Model 3. In Model 3, $K_{i^*}$ (resp. $K_i$, $i \ne i^*$) is set as the first $n-m$ bits of $\mathbf{x}_{i^*}$ (resp. $\hat{\mathbf{x}}_i(i^*)$). It should be noted that the current complexity of generating regular subsets in Models 2 and 4 poses a hurdle for explicit efficient constructions of a SK and a PK, respectively, for these models.

B. Simulation Results 

We provide simulation results for the tradeoff between the 
relative secret key rate (i.e., the difference between the SK 
capacity and the rate of the generated SK) and the rate of 
generating unequal SKs at different terminals (corresponding 
to the bit error rate in SK-matching), when LDPC codes are 
used for SK construction in Model 1. 

For the purpose of comparison, three different LDPC codes were used: (i) a (3, 4)-regular LDPC code; (ii) a (3, 6)-regular LDPC code; and (iii) an irregular LDPC code with degree distribution pair (cf. [19])

$$\lambda(x) = 0.234029x + 0.212425x^2 + 0.146898x^5 + 0.102840x^6 + 0.303808x^{19},$$

$$\rho(x) = 0.71875x^7 + 0.28125x^8,$$

with a common codeword length of $10^3$ bits, and up to 60 iterations of the belief-propagation algorithm were allowed. Over $10^3$ blocks were transmitted from terminal 1.

Fig. 1. Simulation results for the (3, 6)-regular and the irregular LDPC codes. (Axis label: $H(X_1|X_2) = h(p)$ (bits).)

Simulation results are shown in Figures 1 and 2, where conditional entropy (i.e., $H(X_1|X_2) = h(p)$) is plotted against key bit error rate (KBER). We note that in this simulation SKs are generated at fixed rates that are equal to the rates of the LDPC codes used. Since for Model 1, SK capacity equals $1 - h(p)$, the conditional entropy $h(p)$ serves as an indicator of the gap between SK capacity and the rate of the generated SK.

Figure 1 shows the performance of the (3, 6)-regular and the irregular LDPC codes; Figure 2 shows the performance of the (3, 4)-regular LDPC code. It is seen in both figures that KBER increases with $h(p)$. Since SK capacity decreases with increasing $h(p)$, an increase of $h(p)$ narrows the gap between SK capacity and the rate of the generated SK, but raises the likelihood of generating unequal SKs at the two terminals.

It is seen from Figure 1 that the irregular LDPC code outperforms the (3, 6)-regular LDPC code. For instance, for a fixed crossover probability $p = 0.068$, say, and $h(p) \approx 0.3584$, the KBER for the irregular LDPC code is as low as $10^{-5}$, while the KBER for the (3, 6)-regular LDPC code is only about $4 \times 10^{-3}$.

VI. Discussion 

We have considered four simple secrecy generation models involving multiple terminals, and proposed a new approach for constructing SKs and PKs. This approach is based on Wyner's well-known SW data compression code for sources connected by virtual channels with additive independent noise.

In all the models considered in this paper, the i.i.d. sequences observed at the different terminals possess the following structure: they can be described in terms of sequences at pairs of terminals where each terminal in a pair is connected to the other terminal by a virtual communication channel with additive independent noise.

There are two steps in the SK construction schemes. The first step constitutes SW data compression for the purpose of common randomness generation at the terminals. Although the existence of linear data compression codes with rate arbitrarily close to the SW bound has been long known for arbitrarily correlated sources Q, constructions of such linear data compression codes are understood in terms of the cosets of linear error-correction codes for the virtual channel, say $P_{X_1|X_2}$, only when this virtual channel is characterized by (independent) additive noise [37]. For instance, when two terminals are connected by a virtual BSC $P_{X_1|X_2}$, a linear data compression code, which attains the SW rate $H(X_1|X_2)$ for terminal 2 to reconstruct the signal at terminal 1, is then provided by a linear channel code which achieves the capacity of the BSC $P_{X_1|X_2}$.

Fig. 2. Simulation results for the (3, 4)-regular LDPC code.

When the i.i.d. sequences observed at terminals 1 and 2 are arbitrarily correlated, the associated virtual communication channel $P_{X_1|X_2}$ connecting them is no longer symmetric and corresponds to a virtual channel with input-dependent noise. In this case, while linear codes are no longer rate-optimal for the given channel [10], linear code constructions for a suitably enlarged "semisymmetric" channel that are used for SW data compression [14] could pave the way for devising schemes for SK construction.

The second step in the SK construction schemes involves SK extraction from the previously acquired CR. It has been shown [25] that for the special case of a two-terminal source model, this extraction can be accomplished by means of a linear transformation. However, it is not yet known whether this holds also for a general source model with more than two terminals.



Appendix A: Proof of Proposition 1 

We shall prove (O here. The proof of jSJ, which is similar, 
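is omitted. Fix $\delta > 0$ and consider the set $T_{[P_X]_\delta}$ of sequences in $\mathcal{X}^n$ which are $P_X$-typical with constant $\delta$ (cf. p. 33]), i.e.,

$$T_{[P_X]_\delta} = \{\mathbf{x} \in \mathcal{X}^n : \max_{a \in \mathcal{X}} |P_{\mathbf{x}}(a) - P_X(a)| \le \delta\}.$$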



Since T<p, is the union of the sets of those types P of 
sequences in X n that satisfy 



max|P(a) - P x (a)\ < S, 



(A.1) 



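we have

$$\sum_{\mathbf{x} \notin T_{[P_X]_\delta}} P_X^n(\mathbf{x}) = \sum_{P:\ \max_{a \in \mathcal{X}} |P(a) - P_X(a)| > \delta} P_X^n(\{\mathbf{x} : P_{\mathbf{x}} = P\}) \le (n+1)^{|\mathcal{X}|} \cdot 2^{-n \min_{P:\ \max_{a \in \mathcal{X}} |P(a) - P_X(a)| > \delta} D(P\|P_X)} \tag{A.2}$$

using the fact that $P_X^n(\{\mathbf{x} : P_{\mathbf{x}} = P\}) \le 2^{-nD(P\|P_X)}$ (cf. Lemma 2.6]).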

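Next, by Pinsker's inequality (cf. e.g., [6, p. 58]),

$$D(P\|P_X) \ge \frac{1}{2 \ln 2} \Big( \sum_{a \in \mathcal{X}} |P(a) - P_X(a)| \Big)^2 \ge \frac{\delta^2}{2 \ln 2}, \tag{A.3}$$

with the previous inequality holding for every $P$ in (A.1). It follows from (A.2) and (A.3) that

$$\sum_{\mathbf{x} \in T_{[P_X]_\delta}} P_X^n(\mathbf{x}) \ge 1 - (n+1)^{|\mathcal{X}|} \cdot 2^{-n\delta^2/(2 \ln 2)} \tag{A.4}$$

for all $n \ge 1$.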

Finally, observe that 



CT X4 , if £ = 6 



(A.5) 



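which is readily seen from the fact that for each $\mathbf{x} \in \mathcal{X}^n$,

$$\begin{aligned} -\frac{1}{n} \log P_X^n(\mathbf{x}) - H(P_X) &= -\frac{1}{n} \log \big( 2^{-n[H(P_{\mathbf{x}}) + D(P_{\mathbf{x}}\|P_X)]} \big) - H(P_X) \\ &= H(P_{\mathbf{x}}) + D(P_{\mathbf{x}}\|P_X) - H(P_X) \\ &= H(P_{\mathbf{x}}) - H(P_{\mathbf{x}}) + \sum_{a \in \mathcal{X}} P_{\mathbf{x}}(a) \log \frac{1}{P_X(a)} - H(P_X) \\ &= \sum_{a \in \mathcal{X}} [P_{\mathbf{x}}(a) - P_X(a)] \log \frac{1}{P_X(a)}. \end{aligned}$$

Clearly, (A.4) and (A.5) imply ©.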



Appendix B: Proof of Proposition 2 

The proof of Proposition 2 relies on the following lemma 
concerning the average error probability of maximum likeli- 
hood decoding. 

A sequence $\mathbf{u} \in \{0,1\}^n$ is called a descendent of a sequence $\mathbf{v} \in \{0,1\}^n$ if $u_i = 1$ implies that $v_i = 1$, $1 \le i \le n$. A subset $\Omega \subseteq \{0,1\}^n$ is called quasiadmissible if the conditions that $\mathbf{u} \in \Omega$ and $\mathbf{u}$ is a descendent of $\mathbf{v}$ together imply that $\mathbf{v} \in \Omega$.

Lemma 2 [22]: If $\Omega$ is a quasiadmissible subset of $\{0,1\}^n$, then for $0 < p < 1$,

$$\frac{d\mu_p(\Omega)}{dp} > 0,$$

where

$$\mu_p(\Omega) = \sum_{\mathbf{x} \in \Omega} p^{w_H(\mathbf{x})} (1-p)^{n - w_H(\mathbf{x})},$$

with $w_H(\mathbf{x})$ denoting the Hamming weight of $\mathbf{x}$. ■

For a binary linear code, let $E$ denote the set of coset leaders. It is known (cf. ES Theorem 3.11]) that $\Omega' = \{0,1\}^n \setminus E$ is a quasiadmissible subset of $\{0,1\}^n$. If a binary linear code is used on BSC($p$), the average error probability of maximum likelihood decoding is given by (cf. [32, Theorem 5.3.3])

Lemma 2 implies that if the same binary linear code is used on two binary symmetric channels with different crossover probabilities, say, $0 < p_1 < p_2 < \frac{1}{2}$, then the average error probability of maximum likelihood decoding for a BSC($p_1$) is strictly less than that for a BSC($p_2$); note that a BSC($p_2$) is a degraded version of a BSC($p_1$), being a cascade of the latter and a BSC($\frac{p_2 - p_1}{1 - 2p_1}$).

Returning to the proof of Proposition 2, it follows from Lemma 1 that for some $\eta > 0$ and for all $n$ sufficiently large,

Pr{X i .(i*)^X i .}<2- TO ». 

Recall that P(i* ,_,-•) = max (!jJ ) ££(r ) and (i = 

*0j *ij * • ■ >V = i*) is the path from i to i* , It follows by 
Lemma 2 that 

Pr{Xi(*i) ± XJ < Pr{X r (0 ± X.} < 2-"". 
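Consequently,

$$\Pr\{\hat{\mathbf{X}}_i(i_2) \ne \mathbf{X}_{i_2}\} \le \Pr\{\hat{\mathbf{X}}_i(i_2) \ne \mathbf{X}_{i_2},\ \hat{\mathbf{X}}_i(i_1) \ne \mathbf{X}_{i_1}\} + \Pr\{\hat{\mathbf{X}}_i(i_2) \ne \mathbf{X}_{i_2},\ \hat{\mathbf{X}}_i(i_1) = \mathbf{X}_{i_1}\} < 2 \cdot 2^{-n\eta}.$$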

Continuing this procedure, we have finally that 

Pr{X 4 (r) ^ X,,} < r • 2- nr > < d • 2~ m '. 